Monday, May 14, 2012

Automatic Exploit Generation: a Provocative Post

Today I went through a very interesting paper written by Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley from Carnegie Mellon University titled "AEG: Automatic Exploit Generation". The paper describes a technique and an implementation of an automatic engine able to generate exploits from source code and binaries. AEG was introduced at NDSS 2011 and it is really amazing :D

From the Abstract:

We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modeled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

The following picture shows the way the authors designed their Automated Exploit Generation system.

The system performs both analyses: static analysis on source code and dynamic analysis during runtime execution. It then generates an exploit automatically and verifies it before returning it as output. Following is an astonishing video proving the reality of the AEG system.

Now, I've never tried AEG, so I cannot say whether it really works or what its limits are, but I would be very interested in reviewing it. It seems that it might really change everything in the security world.

On one hand I am a little bit scared about it for two main reasons: (a) it could be used by good guys as well as by bad guys, and bad guys with this powerful tool could act very badly. I know, this is like many other theories and tools in computer security... Even my book could be used by bad guys to learn how to exploit systems, right? My worry here is about usability: it seems to be pretty "user friendly" and really effective too. Plus, it covers almost all areas of the software exploiting process, so that everybody could use it and be very effective. And (b) AEG raises a serious question: do security professionals really need to exist anymore? (I am being very provocative.) I know, AEG is probably a very beta tool, but what will happen once it has been tested and is ready to be used?

Let's just analyze what happened to computer security experts during the past decade. At the beginning of the computer security era, only a few people were able to compromise systems; it was considered something like a gift. Then it became an Art. I remember the magic book of Matt Bishop, Computer Security: Art and Science, which fixed the basic concepts of what computer security was and what penetration testing was going to be. Only a few skilled people were able to practice such an Art because it was hard to study and difficult to learn such low-level techniques. Later on it became a discipline, with tools, weak theories and wide documentation on how to attack or exploit systems... a few scholars were able to exploit systems. Finally it became a Science thanks to Methodologies that made the Exploit process reproducible over time: basically everybody with a strong technical background and a passion for computer security can learn how to compromise systems. Now... is it becoming an automatism?

AEG seems to be a perfect tool to automate the full-stack exploiting process, from analysis to exploiting. The question is the most obvious one: do we still need penetration testers and vulnerability hunters? Or is an automatic tool going to be enough? (I am being deliberately provocative.)

Is the exploiting process becoming as quick and easy as running an automated tool? If this is going to happen, what will happen to computer security scientists, experts and engineers? Another question, maybe the most important one... if software able to discover most of the possible vulnerabilities is going to be available, what about "Computer Security Science"? Will it still be a science? Or will it become a simple Technique? Or even an Automatism?

Following the steps of the exploiting process, I see:

Gift (a few rare people able to exploit) -- Art (a few very skilled people able to exploit) -- Craft (books, tools, and tutorials; a few scholars and very motivated people able to exploit) -- Science (reproducible; basically everybody with a strong technical background could be able to exploit) -- Automatism (everybody, or even nobody; there is no need to have people able to exploit, one automaton will do it for everybody)